PerlMonks  

Re: Perl form user input

by FreeBeerReekingMonk (Deacon)
on Jun 10, 2019 at 09:38 UTC


in reply to Perl form user input

Try to find the "untaint" function in the code; I suspect that there is a regexp like s/[^A-Za-z0-9]//g removing all "weird" characters, and that includes the space.

Re^2: Perl form user input
by Anonymous Monk on Jun 10, 2019 at 16:32 UTC
    Could this sub be doing it? (i notice "remove any spaces")
    ############################# Subroutines ###########################
    ### PARSE SUBROUTINE
    sub parse_formx {
        local ($name, $value, $pair, $buffer, @pairs);
        if ($ENV{'REQUEST_METHOD'} eq 'GET') {
            # Split the name-value pairs
            @pairs = split(/&/, $ENV{'QUERY_STRING'});
        } elsif ($ENV{'REQUEST_METHOD'} eq 'POST') {
            # Clear buffer and Get the input
            $buffer = "";
            read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
            # Split the name-value pairs
            @pairs = split(/&/, $buffer);
        } else {
            &error("Bad request method, Use POST or GET");
            exit;
        }
        # determine name and variable for each pair
        foreach $pair (@pairs) {
            # Split into name and value.
            ($name, $value) = split(/=/, $pair);
            # Ignore The Submit Button
            if ($name =~ /submit/i) { next; }
            $name  =~ tr/+/ /;
            $name  =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
            $value =~ tr/+/ /;
            $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

            # Remove Any Possible System Shell Commands Or SSI's Etc.
            $name  =~ s/~!/ ~!/g;
            $name  =~ s/<!--(.|\n)*-->//g;
            $value =~ s/~!/ ~!/g;
            $value =~ s/<!--(.|\n)*-->//g;
            $value =~ s/^\s+//gms;          # remove any leading spaces
            $value =~ s/\s+$//gms;          # remove any trailing spaces
            $value =~ s/\s{2,}/ /gms;       # remove any 2 spaces and put only 1
            $value =~ s/\|//g;              # removes any Intruder tampering
            $value =~ s/~//g;
            $value =~ s/\`//g;              # removes any server side includes
            $value =~ s/\~//g;              # removes any server side includes
            $value =~ s/\"//g;              # removes quotes
            $value =~ s/\;//g;              # removes html
            $value =~ s/\<//g;              # removes html
            $value =~ s/\>//g;              # removes html
            $value =~ s/\s+//g;             # remove any spaces
            $value =~ s/^[\s]+|[\s]+$//gm;  # remove any spaces
            $FORM{$name} = $value;
        }
        return %FORM;
    } # end of sub
      $value =~ s/\s+//g; # remove any spaces

      This is the line that is removing all whitespace from the values. You could probably comment it out (put a # at the beginning of the line), although that will affect all form values.

      As I said, this is a very old style of Perl CGI. I would strongly recommend a security audit and, at least at some point, an overhaul.

        Wow that did it! I really appreciate everyone's contribution in this. Thanks again,
      Maybe? Please use code tags!!!
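The following is an added example, not code from this thread or from the script the original poster is using. It rewrites the parsing job of parse_formx under strict/warnings so the field value keeps its inner spaces (only edge whitespace is trimmed and runs are collapsed, matching the lines just before the offending s/\s+//g), and it escapes on output instead of deleting characters on input, which is the usual outcome of the audit the reply above recommends. The sub names parse_form, url_decode, html_escape and read_request, and the sample query string, are my own constructions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decode one application/x-www-form-urlencoded component
# (same tr/+/ / and %XX logic as the old sub, just in one place).
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
    return $s;
}

# Parse a query string or POST body into a name => value hash.
# Leading/trailing whitespace is trimmed and inner runs collapsed
# to a single space; the old sub's final s/\s+//g is deliberately
# absent, so "John Q. Smith" stays "John Q. Smith".
sub parse_form {
    my ($raw) = @_;
    my %form;
    for my $pair (split /&/, $raw) {
        my ($name, $value) = split /=/, $pair, 2;   # limit 2: values may contain '='
        next unless defined $name && length $name;
        $value = '' unless defined $value;
        $name  = url_decode($name);
        $value = url_decode($value);
        next if $name =~ /submit/i;                 # same "ignore the submit button" rule
        $value =~ s/^\s+|\s+$//g;
        $value =~ s/\s{2,}/ /g;
        $form{$name} = $value;
    }
    return %form;
}

# Escape for HTML at output time rather than stripping <, >, " and ;
# from the stored value; the data stays intact and the page stays safe.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Obtain the raw request the same way the old sub does (GET vs POST),
# but refuse a missing or non-numeric CONTENT_LENGTH instead of passing
# it straight to read().
sub read_request {
    my $method = $ENV{REQUEST_METHOD} // '';
    if ($method eq 'GET') {
        return $ENV{QUERY_STRING} // '';
    } elsif ($method eq 'POST') {
        my $len = $ENV{CONTENT_LENGTH} // '';
        die "CONTENT_LENGTH missing or not numeric\n" unless $len =~ /^\d+$/;
        read(STDIN, my $buffer, $len);
        return $buffer // '';
    }
    die "Bad request method, use POST or GET\n";
}

# Constructed sample input standing in for a real request when run
# from the command line; under a web server read_request() is used.
my $sample = 'name=John+Q.++Smith&comment=%3Cb%3Ehi%3C%2Fb%3E+%26+bye&submit=Send';
my $raw    = defined $ENV{REQUEST_METHOD} ? read_request() : $sample;

my %form = parse_form($raw);
for my $k (sort keys %form) {
    printf "%s => [%s] -> %s\n", $k, $form{$k}, html_escape($form{$k});
}
```

Run from a shell it prints the comment field as [<b>hi</b> & bye] with the escaped form &lt;b&gt;hi&lt;/b&gt; &amp; bye beside it, and the name field as [John Q. Smith]; the submit field is skipped as in the original.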
